(1) Field of Invention
The present invention relates to an anomaly detection system and, more specifically, to a system for detecting anomalies on CAN bus data using sparse and low rank decomposition.
(2) Description of Related Art
Anomaly detection is the process by which anomalous data can be detected to prevent attacks or intrusion of malicious data. Many known attacks on automobiles involve some form of spoofing or altering CAN bus messages. For instance, if an attacker can cause another module to go into diagnostic mode, they can stop that module's messages from appearing on the bus, which allows the attacker to replace those messages with their own. Depending on the module, these spoof messages can potentially put passengers in serious danger.
Attempts have been made to address this issue. For instance, the researchers in Tayler proposed a frequency-based anomaly detection method to compare current and historical packet timing (see the List of Incorporated Literature References below, Reference No. 6). Their algorithm measures inter-packet timing over a sliding window. They found that the Hamming distance of data packets was an unreliable measure of normality. The inter-packet timing statistic is reliable for detecting inserted packets, with a one-class support vector machine. However, if the normal packet is not periodic, then detection of extra insertions could be more challenging. Moreover, their method is unlikely to work for other types of attacks, such as changing the packet order.
Thus, a continuing need exists for a system that for anomaly detection on CAN bus data.